public virtual IObjectPermission AddObjectPermission <TSource, TargetType>(SecurityOperation operation, OperationState state, Expression <Func <TSource, TargetType, bool> > criteria) where TSource : BaseSecurityDbContext
{
var objectPermission = new ObjectPermission <TSource, TargetType>(operation, state, criteria);
permissions.Add(objectPermission);
return(objectPermission);
}
public ObjectPermission(SecurityOperation operations, OperationState state, Expression <Func <TSource, TargetType, bool> > criteria)
{
Type = typeof(TargetType);
Operations = operations;
OperationState = state;
Criteria = criteria;
}
public virtual IMemberPermission AddMemberPermission <TSource, TargetType>(SecurityOperation operation, OperationState state, string memberName, Expression <Func <TSource, TargetType, bool> > criteria) where TSource : BaseSecurityDbContext
{
if (operation.HasFlag(SecurityOperation.Create))
{
throw new ArgumentException("The create value of the 'operations' parameter is incorrect in this context. Only the Read and Write operations can be granted by a member permission.");
}
if (operation.HasFlag(SecurityOperation.Delete))
{
throw new ArgumentException("The delete value of the 'operations' parameter is incorrect in this context. Only the Read and Write operations can be granted by a member permission.");
}
Type targetType = typeof(TargetType);
PropertyInfo targetMember = targetType.GetProperty(memberName);
if (targetMember == null)
{
throw new ArgumentException(string.Format("{0} type doesn't contain {1} property.", targetType.Name, memberName));
}
var memberPermission = new MemberPermission <TSource, TargetType>(operation, state, memberName, criteria);
memberPermission.Type = typeof(TargetType);
memberPermission.Operations = operation;
memberPermission.OperationState = state;
permissions.Add(memberPermission);
return(memberPermission);
}
/// <summary>
/// 判断权限
/// 用于判断增加权限
/// </summary>
/// <param name="so">权限操作类型</param>
/// <param name="formid">窗体ID</param>
/// <returns></returns>
public bool CheckAuth(SecurityOperation so, int formid)
{
bool bResult = false;
//如果是超级用户则直接返回True
if (IsAdmin)
{
bResult = true;
}
else
{
foreach (Hashtable ht in GetFormSecurity(formid))
{
//增加权限,只要设置的不为None,其他的都具有
if (so == SecurityOperation.Add)
{
if ((SecurityOperationValue)ht[so] != SecurityOperationValue.None)
{
bResult = true;
if (bResult)
{
return(bResult);
}
}
}
}
}
return(bResult);
}
private ResultProcessOperation IsGrantedByObject(Type type, SecurityOperation operation, object targetObject)
{
ResultProcessOperation result = ResultProcessOperation.NotContainTargetPermissions;
IEnumerable <IObjectPermission> objectPermissions = GetObjectPermissions(type).Where(p => p.Operations.HasFlag(operation));
List <bool> objectPermissionsStates = new List <bool>();
foreach (IObjectPermission objectPermission in objectPermissions)
{
OperationState operationState = objectPermission.OperationState;
LambdaExpression criteriaExpression = objectPermission.Criteria;
bool permissionResult = GetPermissionCriteriaResult(criteriaExpression, targetObject);
if (permissionResult)
{
if (operationState == OperationState.Allow)
{
objectPermissionsStates.Add(true);
}
else
{
objectPermissionsStates.Add(false);
}
}
}
result = MergePermissionsStates(objectPermissionsStates);
return(result);
}
public bool IsGranted(Type type, SecurityOperation operation, object targetObject, string memberName)
{
ResultProcessOperation result = ResultProcessOperation.NotContainTargetPermissions;
if (!IsSecuredType(type))
{
result = ResultProcessOperation.Allow;
}
if (targetObject != null && !string.IsNullOrEmpty(memberName))
{
result = IsGrantedByMember(type, operation, targetObject, memberName);
}
if (result == ResultProcessOperation.NotContainTargetPermissions && targetObject != null)
{
result = IsGrantedByObject(type, operation, targetObject);
}
if (result == ResultProcessOperation.NotContainTargetPermissions)
{
result = IsGrantedByType(type, operation);
}
if (result == ResultProcessOperation.NotContainTargetPermissions)
{
result = IsGrantedByOperation(operation) ? ResultProcessOperation.Allow : ResultProcessOperation.Deny;
if (result == ResultProcessOperation.Deny && targetObject != null && string.IsNullOrEmpty(memberName))
{
result = IsAnyMemberGranted(type, operation, targetObject);
}
}
if (result == ResultProcessOperation.NotContainTargetPermissions)
{
throw new ArgumentOutOfRangeException();
}
return((result == ResultProcessOperation.Allow) ? true : false);
}
private ResultProcessOperation IsGrantedByMember(Type type, SecurityOperation operation, object targetObject, string memberName)
{
ResultProcessOperation result;
var memberPermissions = GetMemberPermissions(type).Where(p => p.Operations.HasFlag(operation));
List <bool> memberPermissionsStates = new List <bool>();
foreach (IMemberPermission memberPermission in memberPermissions)
{
string currentMemberName = memberPermission.GetType().GetProperty("MemberName").GetValue(memberPermission, null) as string;
if (memberName != currentMemberName)
{
continue;
}
OperationState operationState = memberPermission.OperationState;
LambdaExpression criteriaExpression = memberPermission.Criteria;
bool permissionResult = GetPermissionCriteriaResult(criteriaExpression, targetObject);
if (permissionResult)
{
if (operationState == OperationState.Allow)
{
memberPermissionsStates.Add(true);
}
else
{
memberPermissionsStates.Add(false);
}
}
}
result = MergePermissionsStates(memberPermissionsStates);
return(result);
}
public PermissionSet GetObjectDefPermissions(Guid objectId, SecurityOperation operation)
{
var cached = ObjectDefPermissionCache.Find(objectId);
if (cached != null)
{
return(cached.CachedObject);
}
IQueryable <Guid> permissions;
var edc = DataContext.GetEntityDataContext();
if (operation == SecurityOperation.Access)
{
permissions = edc.Entities.Permission_Defs.Include("Permissions")
.Where(d => d.Def_Id == objectId && (d.Access_Type == null || d.Access_Type == 0) &&
(d.Permission.Deleted == null || d.Permission.Deleted == false))
.Select(d => d.Permission_Id);
}
else
{
var op = (int)operation;
permissions = edc.Entities.Permission_Defs.Include("Permissions")
.Where(d => d.Def_Id == objectId && d.Access_Type == op &&
(d.Permission.Deleted == null || d.Permission.Deleted == false))
.Select(d => d.Permission_Id);
}
var permissionSet = new PermissionSet(permissions);
ObjectDefPermissionCache.Add(permissionSet, objectId);
return(permissionSet);
}
public MemberPermission(SecurityOperation operations, OperationState operationState, string memberName, Expression <Func <TSource, TargetType, bool> > criteria)
{
Type = typeof(TargetType);
Operations = operations;
OperationState = operationState;
MemberName = memberName;
Criteria = criteria;
}
public static void AddOnePermission(SecurityDbContext securityDbContext, SecurityOperation operation)
{
securityDbContext.PermissionsContainer.SetPermissionPolicy(PermissionPolicy.DenyAllByDefault);
Expression <Func <DbContextMultiClass, DbContextObject1, bool> > criteria = (db, obj) => obj.Description.StartsWith("Description");
foreach (SecurityOperation securityOperation in GetSecurityOperations())
{
securityDbContext.PermissionsContainer.AddObjectPermission(securityOperation, OperationState.Allow, criteria);
}
}
public virtual IObjectPermission AddObjectPermission <TSource, TargetType>(SecurityOperation operation, OperationState state, Expression <Func <TSource, TargetType, bool> > criteria) where TSource : BaseSecurityDbContext
{
SecurityObjectPermission objectPermission = new SecurityObjectPermission();
objectPermission.Type = typeof(TargetType);
objectPermission.Criteria = criteria;
objectPermission.Operations = operation;
objectPermission.OperationState = state;
this.ObjectPermissions.Add(objectPermission);
return(objectPermission);
}
public virtual ITypePermission SetTypePermission(Type type, SecurityOperation operation, OperationState state)
{
TypePermission typePermission = FindFirstTypePermission(type);
if (typePermission == null)
{
typePermission = new TypePermission(type);
permissions.Add(typePermission);
}
typePermission.Operations = operation;
typePermission.OperationState = state;
return(typePermission);
}
private bool IsGrantedByOperation(SecurityOperation operation)
{
bool result;
IEnumerable <IPolicyPermission> operationPermissions = permissionsProvider.GetPermissions().OfType <IPolicyPermission>();
if (operationPermissions.Count() != 0)
{
result = operationPermissions.Any(p => p.Operations.HasFlag(operation));
}
else
{
result = DefaultOperationsAllow.HasFlag(operation);
}
return(result);
}
public void SecurityValidator_DisallowsOperationOnNoteVote_WrongParticipant(SecurityOperation securityOperation)
{
// Given
Retrospective retro = GetRetrospectiveInStage(RetrospectiveStage.Voting);
var noteVote = new NoteVote {
ParticipantId = 1
};
this._currentParticipantService.SetParticipant(new CurrentParticipantModel(2, String.Empty, false));
// When
TestDelegate action = () => this._securityValidator.EnsureOperation(retro, securityOperation, noteVote).GetAwaiter().GetResult();
// Then
Assert.That(action, Throws.InstanceOf <OperationSecurityException>());
}
public void SecurityValidator_AllowsOperationOnNote_IsFacilitator(SecurityOperation securityOperation)
{
// Given
Retrospective retro = GetRetrospectiveInStage(RetrospectiveStage.Grouping);
var noteGroup = new NoteGroup {
Title = "G"
};
this._currentParticipantService.SetParticipant(new CurrentParticipantModel(212, String.Empty, true));
// When
TestDelegate action = () => this._securityValidator.EnsureOperation(retro, securityOperation, noteGroup).GetAwaiter().GetResult();
// Then
Assert.That(action, Throws.Nothing);
}
public void SecurityValidator_AllowsOperationOnNote_CorrectParticipant(SecurityOperation securityOperation)
{
// Given
Retrospective retro = GetRetrospectiveInStage(RetrospectiveStage.Writing);
var note = new Note {
ParticipantId = 212
};
this._currentParticipantService.SetParticipant(new CurrentParticipantModel(212, String.Empty, false));
// When
TestDelegate action = () => this._securityValidator.EnsureOperation(retro, securityOperation, note).GetAwaiter().GetResult();
// Then
Assert.That(action, Throws.Nothing);
}
public virtual IMemberPermission AddMemberPermission <TSource, TargetType>(SecurityOperation operation, OperationState state, string memberName, Expression <Func <TSource, TargetType, bool> > criteria) where TSource : BaseSecurityDbContext
{
if (operation.HasFlag(SecurityOperation.Create))
{
throw new ArgumentException("The create value of the 'operations' parameter is incorrect in this context. Only the Read and Write operations can be granted by a member permission.");
}
if (operation.HasFlag(SecurityOperation.Delete))
{
throw new ArgumentException("The delete value of the 'operations' parameter is incorrect in this context. Only the Read and Write operations can be granted by a member permission.");
}
SecurityMemberPermission memberPermission = new SecurityMemberPermission();
memberPermission.Type = typeof(TargetType);
memberPermission.Criteria = criteria;
memberPermission.Operations = operation;
memberPermission.OperationState = state;
memberPermission.MemberName = memberName;
this.MemberPermissions.Add(memberPermission);
return(memberPermission);
}
public async ValueTask EnsureOperation(Session session, SecurityOperation operation, object entity)
{
if (session == null)
{
throw new ArgumentNullException(nameof(session));
}
if (entity == null)
{
throw new ArgumentNullException(nameof(entity));
}
CurrentParticipantModel participant = await this.GetAuthenticatedParticipant(operation, entity.GetType());
if (operation == SecurityOperation.AddOrUpdate || operation == SecurityOperation.Delete)
{
this.EnsureOperationSecurity(operation, entity, participant);
}
this.InvokeTypeSecurityChecks(operation, session, participant, entity);
}
private ResultProcessOperation IsAnyMemberGranted(Type type, SecurityOperation operation, object targetObject)
{
ResultProcessOperation result = ResultProcessOperation.Deny;
IEntityType entityType = securityDbContext.RealDbContext.Model.FindEntityType(targetObject.GetType());
IEnumerable <INavigation> navigationPropertys = entityType.GetNavigations();
foreach (var property in targetObject.GetType().GetTypeInfo().DeclaredProperties)
{
if (property.GetGetMethod().IsStatic || navigationPropertys.Any(p => p.Name == property.Name))
{
continue;
}
string propertyName = property.Name;
IProperty propertyMetadata = securityDbContext.RealDbContext.Entry(targetObject).Metadata.GetProperties().FirstOrDefault(p => p.Name == propertyName);
if (propertyMetadata == null || propertyMetadata.IsKey())
{
continue;
}
bool isGranted = IsGranted(targetObject.GetType(), operation, targetObject, propertyName);
if (isGranted)
{
result = ResultProcessOperation.Allow;
break;
}
}
if (result == ResultProcessOperation.Deny)
{
foreach (INavigation navigationProperty in navigationPropertys)
{
bool isGranted = IsGranted(targetObject.GetType(), operation, targetObject, navigationProperty.Name);
if (isGranted)
{
result = ResultProcessOperation.Allow;
break;
}
}
}
return(result);
}
private ResultProcessOperation IsGrantedByType(Type type, SecurityOperation operation)
{
ResultProcessOperation result;
IEnumerable <ITypePermission> typePermissions = GetTypePermissions(type).Where(p => p.Operations.HasFlag(operation));
if (typePermissions.Count() != 0)
{
if (AllowPermissionsPriority)
{
result = typePermissions.Any(p => p.OperationState == OperationState.Allow)
? ResultProcessOperation.Allow : ResultProcessOperation.Deny;
}
else
{
result = typePermissions.Any(p => p.OperationState == OperationState.Deny)
? ResultProcessOperation.Deny : ResultProcessOperation.Allow;
}
}
else
{
result = ResultProcessOperation.NotContainTargetPermissions;
}
return(result);
}
public static ITypePermission SetTypePermission <T>(this IPermissionsContainer PermissionsContainer, SecurityOperation operation, OperationState state) where T : class
{
return(PermissionsContainer.SetTypePermission(typeof(T), operation, state));
}
/// <summary>
/// 判断权限
/// 用于判断查询,修改,删除,打印权限
/// </summary>
/// <param name="so">权限操作类型</param>
/// <param name="formid">窗体ID</param>
/// <param name="suserid">制单人</param>
/// <returns></returns>
public bool CheckAuth(SecurityOperation so, int formid, string suserid)
{
bool bResult = false;
//如果是超级用户则直接返回True
if (IsAdmin)
{
bResult = true;
}
else if (suserid == "")
{
bResult = true;
}
else
{
foreach (Hashtable ht in GetFormSecurity(formid))
{
switch ((SecurityOperationValue)ht[so])
{
case SecurityOperationValue.None:
{
bResult = false;
break;
}
case SecurityOperationValue.Self:
{
bResult = CurrentUserID.ToLower() == suserid.ToLower();
if (bResult)
{
return bResult;
}
break;
}
case SecurityOperationValue.Underling:
{
bResult = GetUserUnderlingStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return bResult;
}
break;
}
case SecurityOperationValue.SelfAndUnderling:
{
bResult = GetUserSelfAndUnderlingStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return bResult;
}
break;
}
case SecurityOperationValue.Department:
{
bResult = GetUserDeptStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return bResult;
}
break;
}
case SecurityOperationValue.DeptUnderling:
{
bResult = GetUserUnderDeptStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return bResult;
}
break;
}
case SecurityOperationValue.DepartmentAndUnderling:
{
bResult = GetUserDeptAndUnderDeptStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return bResult;
}
break;
}
case SecurityOperationValue.All:
{
bResult = true;
if (bResult)
{
return bResult;
}
break;
}
default:
{
bResult = false;
break;
}
}
}
}
return bResult;
}
/// <summary>
/// 判断权限
/// 用于判断增加,单价,数量,属性,导出权限
/// </summary>
/// <param name="so">权限操作类型</param>
/// <param name="formid">窗体ID</param>
/// <returns></returns>
public bool CheckAuth(SecurityOperation so, int formid)
{
bool bResult = false;
//如果是超级用户则直接返回True
if (IsAdmin)
{
bResult = true;
}
else
{
foreach (Hashtable ht in GetFormSecurity(formid))
{
//增加,单价,数量,属性,导出权限,只要设置的不为None,其他的都具有
if (so == SecurityOperation.Add || so == SecurityOperation.Num
|| so == SecurityOperation.Price || so == SecurityOperation.Property
|| so == SecurityOperation.OutPut)
{
if ((SecurityOperationValue)ht[so] != SecurityOperationValue.None)
{
bResult = true;
if (bResult)
{
return bResult;
}
}
}
}
}
return bResult;
}
public static void AddMultiplePermissions(SecurityDbContext securityDbContext, SecurityOperation operation)
{
securityDbContext.PermissionsContainer.SetPermissionPolicy(PermissionPolicy.DenyAllByDefault);
Expression <Func <DbContextMultiClass, DbContextObject1, bool> > criteria1 = (db, obj) => obj.Description.StartsWith("Description");
Expression <Func <DbContextMultiClass, DbContextObject1, bool> > criteria2 = (db, obj) => obj.Description.Length > 2;
Expression <Func <DbContextMultiClass, DbContextObject1, bool> > criteria3 = (db, obj) => !obj.Description.Contains("SomeBadPhrase");;
foreach (SecurityOperation securityOperation in GetSecurityOperations())
{
securityDbContext.PermissionsContainer.AddObjectPermission(securityOperation, OperationState.Allow, criteria1);
securityDbContext.PermissionsContainer.AddObjectPermission(securityOperation, OperationState.Allow, criteria2);
securityDbContext.PermissionsContainer.AddObjectPermission(securityOperation, OperationState.Allow, criteria3);
}
}
public static void AddOneCollectionPermission(SecurityDbContext securityDbContext, SecurityOperation operation)
{
securityDbContext.PermissionsContainer.SetPermissionPolicy(PermissionPolicy.DenyAllByDefault);
Expression <Func <DbContextConnectionClass, Company, bool> > companyCriteria = (db, obj) => obj.Description.StartsWith("Description");
foreach (SecurityOperation securityOperation in GetSecurityOperations())
{
securityDbContext.PermissionsContainer.AddObjectPermission(securityOperation, OperationState.Allow, companyCriteria);
}
Expression <Func <DbContextConnectionClass, Office, bool> > officeCriteria = (db, obj) => obj.Description.StartsWith("Description");
foreach (SecurityOperation securityOperation in GetSecurityOperations())
{
securityDbContext.PermissionsContainer.AddObjectPermission(securityOperation, OperationState.Allow, officeCriteria);
}
Expression <Func <DbContextConnectionClass, Company, bool> > memberOfficeCriteria = (db, obj) => obj.Description.StartsWith("Description");
foreach (SecurityOperation securityOperation in GetMembersSecurityOperations())
{
securityDbContext.PermissionsContainer.AddMemberPermission(securityOperation, OperationState.Allow, "Offices", memberOfficeCriteria);
}
}
public static bool IsGranted(this IPermissionProcessor processor, Type type, SecurityOperation operation)
{
return(processor.IsGranted(type, operation, null, ""));
}
public static void HandleOperation(SecurityOperation operation, Retrospective retrospective, object entity, in CurrentParticipantModel currentParticipant)
public void SecurityValidator_DisallowsOperationOnNote_UnauthenticatedParticipant(SecurityOperation securityOperation)
{
// Given
Retrospective retro = GetRetrospectiveInStage(RetrospectiveStage.Writing);
var note = new Note {
ParticipantId = 1
};
this._currentParticipantService.Reset();
Assume.That(this._currentParticipantService.GetParticipant().Result, Is.EqualTo(default(CurrentParticipantModel)));
// When
TestDelegate action = () => this._securityValidator.EnsureOperation(retro, securityOperation, note).GetAwaiter().GetResult();
// Then
Assert.That(action, Throws.InstanceOf <OperationSecurityException>());
}
public PolicyPermission([NotNull] SecurityOperation operations)
{
Operations = operations;
}
/// <summary>
/// 判断权限
/// 用于判断查询,修改,删除,打印权限
/// </summary>
/// <param name="so">权限操作类型</param>
/// <param name="formid">窗体ID</param>
/// <param name="lano">制单人</param>
/// <returns></returns>
public bool CheckAuth(SecurityOperation so, int formid, string suserid)
{
bool bResult = false;
//如果是超级用户则直接返回True
if (IsAdmin)
{
bResult = true;
}
else if (suserid == "")
{
bResult = true;
}
else
{
foreach (Hashtable ht in GetFormSecurity(formid))
{
////增加权限,只要设置的不为None,其他的都具有
//if (so == SecurityOperation.Add)
//{
// if ((SecurityOperationValue)GetFormSecurity(formid)[so] != SecurityOperationValue.None)
// {
// bResult = true;
// }
//}
//else
//{
switch ((SecurityOperationValue)ht[so])
{
case SecurityOperationValue.None:
{
bResult = false;
break;
}
case SecurityOperationValue.Self:
{
bResult = CurrentUserID.ToLower() == suserid.ToLower();
if (bResult)
{
return(bResult);
}
break;
}
case SecurityOperationValue.Underling:
{
bResult = GetUserUnderlingStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return(bResult);
}
break;
}
case SecurityOperationValue.SelfAndUnderling:
{
bResult = GetUserSelfAndUnderlingStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return(bResult);
}
break;
}
case SecurityOperationValue.Department:
{
bResult = GetUserDeptStr.ToLower().Contains(suserid.ToLower());
if (bResult)
{
return(bResult);
}
break;
}
case SecurityOperationValue.All:
{
bResult = true;
if (bResult)
{
return(bResult);
}
break;
}
default:
{
bResult = false;
break;
}
}
}
}
return(bResult);
}
private async ValueTask <CurrentParticipantModel> GetAuthenticatedParticipant(SecurityOperation operation, Type entityType)
{
CurrentParticipantModel participant = await this._currentParticipantService.GetParticipant();
public static bool IsGranted(this IPermissionProcessor processor, Type type, SecurityOperation operation, object targetObject)
{
return(processor.IsGranted(type, operation, targetObject, ""));
}
